Home

Description

U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. Attackers can send two or more READLINK responses containing relative symlink targets of approximately 1100 bytes each to corrupt adjacent BSS variables including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially achieving memory corruption and control over the NFS client state machine.

PUBLISHED Reserved 2026-03-03 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Problem types

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Product status

Default status
affected

Any version
affected

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. finder

VulnCheck finder

References

lists.denx.de/pipermail/u-boot/2026-May/617853.html (Mailing List Outreach) issue-tracking

u-boot.org/ (Project Webpage) product

www.vulncheck.com/...-in-nfs-readlink-reply-via-nfs-readlink third-party-advisory

cve.org (CVE-2026-29009)

nvd.nist.gov (CVE-2026-29009)

Download JSON